Taking back control of your phone

Securing your smartphone for everyday use

Improve Your Personal Digital Security

  • Updates
  • Manage application permissions
  • Screen lock
  • Use and data compartmentalization
  • Control your data flows
  • Securing your mobile device
  • Check outgoing connections
  • Secure backup and management in the event of loss
In the previous chapter, we analyzed the issues associated with smartphone operating systems, and explored various alternatives for gaining greater control over your phone. But choosing a good operating system isn't enough: to ensure real security and confidentiality, it's important to adopt a few good practices in your day-to-day use.
In this chapter, we'll take a step-by-step look at some basic recommendations that apply regardless of your smartphone's operating system.

Updates

I'm going to repeat myself here, but every update released by developers potentially includes important security patches. What's more, smartphones are exposed to numerous risks due to their huge attack surface: mobile networks, third-party applications, wireless communications (Wi-Fi, Bluetooth, NFC, etc.).
Not applying these updates means deliberately leaving open known vulnerabilities, publicly documented in databases such as CVE (Common Vulnerabilities and Exposures). These flaws are sometimes automatically exploited by tools available online, without even requiring advanced skills. This makes an out-of-date phone an ideal target, even for large-scale automated attacks.
It is therefore essential to enable automatic updates in your system settings, and to manually check every week that your device has the latest security patches. On Android, this is usually done in Settings > Security > System Update, and on iOS in Settings > General > Software Update.

Update support

Not all smartphones are created equal when it comes to software support. Many entry-level and mid-range devices stop receiving critical updates after just two or three years, exposing you to increasingly serious risks.
However, some brands have very good software support, notably Google (7 years), Fairphone (5 to 7 years), Samsung (5 to 7 years) and Apple (5 to 7 years). This criterion is very important when buying a new phone: A durable device is first and foremost a maintained device.

Use reliable application stores

Mobile applications represent a major source of risk: most modern Android malware arrives through them. Installing an application via an .apk file received from an unknown site, or from an uncertified store, means taking the risk of installing a program that is deliberately malicious, or modified to include spying or data-stealing functions.
Even on official stores like Google Play Store or Apple App Store, you need to remain vigilant. Despite filtering mechanisms, malicious applications regularly manage to sneak in. For example, "Sparrow wallet" applications can sometimes be seen on the Play Store, even though this software only exists on PCs: This is undoubtedly a fraudulent application.
Before installing, take the time to check a few things: permissions required, number of downloads, overall rating, date of last update and user reviews.
On Android, alternative open-source stores such as F-Droid offer a more ethical and often more secure solution: each application is compiled from free sources, and manually audited. For necessary proprietary applications, tools like Aurora Store allow access to the Play Store without a Google account, which limits data collection.
In addition to the Operating System, the applications installed on your smartphone also need to be kept up to date. You can activate automatic updates via your app store settings, and get into the habit of running a manual check at least once a week.
On Android, if you install applications via .apk files, you'll need to manage updates manually. Indeed, these applications installed outside official channels have no automatic update mechanism. So you'll need to regularly check the versions released by developers on GitHub or on their official website.

Manage application permissions

On a smartphone, any application can request direct access to sensitive resources: Microphone, camera, precise geographic position, address book, files, SMS, motion sensors, etc. Such access is not trivial: Technically, when permission is granted, the application can exploit it in the background, on a continuous or ad hoc basis, sometimes without visible notification. That's why it's important to apply the principle of least privilege: to give each application only those authorizations that are strictly essential to its minimal operation.
For example, a flashlight application doesn't need access to your contacts or geolocation. A weather application can work with manual localization, without GPS access. A PDF reader doesn't need to use the microphone or SMS. If in doubt, always refuse by default, then re-evaluate if the application isn't working properly. On some systems, it is also possible to grant authorizations only temporarily: either for a single use, or only when the application is running. This prevents an application from exploiting certain permissions in the background without your knowledge.
Android and iOS now offer granular permission control. You can manage them by application or by permission type. Take the time, once a month for example, to check active permissions via your phone's settings.
Some systems also allow you to automatically revoke authorizations granted to an application after a certain period of non-use. This limits the risks if you forget to uninstall an application.
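The monthly permission review described above can also be done from a computer. This added example (not part of the original course) parses a constructed, trimmed sample in the shape of `adb shell dumpsys package` output and reports sensitive permissions granted beyond a least-privilege policy; the package names and the policy are hypothetical.

```python
import re

# Runtime permissions guarding the resources named in the text.
SENSITIVE = {
    "RECORD_AUDIO": "microphone", "CAMERA": "camera",
    "ACCESS_FINE_LOCATION": "precise location",
    "READ_CONTACTS": "contacts", "READ_SMS": "SMS",
}

# Hypothetical policy: permissions each app may hold; anything unlisted is refused.
POLICY = {
    "com.example.weather": set(),        # city entered manually, no GPS
    "com.example.scanner": {"CAMERA"},   # needs the camera to do its job
}

# Constructed sample, trimmed to the relevant lines of `adb shell dumpsys package`.
SAMPLE = """\
  Package [com.example.flashlight] (1a2b3c):
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.weather] (4d5e6f):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.scanner] (7a8b9c):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*android\.permission\.(\w+): granted=(true|false)")

def parse_grants(dump):
    """Return {package: set of granted permission names}."""
    grants, current = {}, None
    for line in dump.splitlines():
        if m := PKG_RE.match(line):
            current = m.group(1)
            grants[current] = set()
        elif current and (m := PERM_RE.match(line)) and m.group(2) == "true":
            grants[current].add(m.group(1))
    return grants

def audit(dump, policy=POLICY):
    """List (package, permission, resource) grants that exceed the policy."""
    findings = []
    for pkg, granted in sorted(parse_grants(dump).items()):
        allowed = policy.get(pkg, set())  # unknown app: refuse by default
        for perm in sorted((granted & set(SENSITIVE)) - allowed):
            findings.append((pkg, perm, SENSITIVE[perm]))
    return findings
```

Each finding is a candidate for revocation in the phone's settings; an app missing from the policy is treated as allowed nothing, matching the "refuse by default" rule.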

Screen lock

The physical security of a smartphone begins with its lock screen. This is the first barrier between a potential attacker and access to your personal data. The most reliable means is still the PIN code or complex password.
On the other hand, unlocking methods such as unlock patterns (a shape drawn on a grid of dots) are strongly discouraged. Such patterns leave visible traces on the screen, are easy to memorize for a third party observing your gesture, and are rarely sufficiently complex.
Biometric systems (facial recognition or fingerprint) offer obvious convenience, but should be used with caution. In the event of physical coercion (theft, police pressure, etc.), the fingerprint or face can be used without your active consent. In some countries, the use of biometrics does not enjoy the same legal protection as the secrecy of a password.
In addition, biometric systems can be circumvented (or could be in the future) using techniques such as visual face reproduction or the recovery of latent fingerprints on a surface. Their reliability also depends heavily on the security level of your device: for example, Apple's Face ID facial recognition is far more rigorous than that of some entry-level smartphones.
To sum up, here is the ranking from the best smartphone locking system to the worst:
  • Alphanumeric password
  • PIN code
  • Biometrics
  • Unlock pattern
  • No locking
For sensitive devices, the best solution is a password with biometrics disabled, so that the device can only be unlocked by typing it in. This may seem restrictive, but it's the best way to ensure protection. Obviously, for a PIN code or alphanumeric password, the longer and more random the better. It must also be resistant to brute force attacks.

Use and data compartmentalization

As we have seen in previous chapters, compartmentalization is an important practice for limiting the risks in the event of a compromise to one part of the system. By creating separate environments for your different activities, you prevent an attack or data leak in one area from contaminating your entire device. On Android, this strategy can be implemented through a number of built-in mechanisms.

Use a separate work profile

The Work Profile is a feature native to Android (since Android 5.0), which allows you to create a separate software partition within the same smartphone. In practical terms, this profile functions as an isolated container: applications, accounts and data stored in this space cannot interact with those in the personal profile. This separation prevents data leakage between the two spaces, and limits access rights for applications. This feature is often managed internally within companies, but there are also ways of using it personally to isolate applications.
The Shelter tool is an open-source application that exploits this Work Profile feature of the Android system to offer non-professional users a simple way of creating an isolated environment. Shelter can be used to install and run sensitive applications in a protected space, greatly reducing their exposure to other software installed on the phone.

Use several separate phones

To take the separation of uses even further, it is possible to opt for the use of several physical devices, each dedicated to a different type of activity (personal, professional or sensitive). This physical separation ensures complete isolation, much stricter than software segmentation, since each phone operates completely independently.
If one smartphone is compromised, the others remain intact. This physical partitioning also has the advantage of simplifying the management of access and permissions on each device, and reduces overall exposure to potential threats.

Control your data flows

Your smartphone is in constant communication with the outside world, whether via Wi-Fi, Bluetooth, NFC, GPS or mobile networks. Each of these channels represents a potential attack surface. Understanding how they work and securing them is therefore important for limiting risks.

Public Wi-Fi

Public Wi-Fi networks, such as those in cafes, hotels or public transport, are rarely secure. Even when they do require a password, it is often shared between many users, and the encryption applied is sometimes easily bypassed. An attacker connected to the same network can intercept your packets, capture credentials or inject malicious content via Man-in-the-Middle attacks.
To protect yourself, simply avoid using these public networks, or use a VPN, which will create an encrypted tunnel between your device and a remote server. This tunnel encapsulates your data, making it extremely difficult to intercept or modify.
As for your home Wi-Fi network, we'll talk about that in the last part of the SCU 202 course.

Bluetooth, NFC and GPS

Bluetooth (wireless protocol for short-range communications), NFC (Near Field Communication) and GPS (satellite positioning) are enabled by default on many smartphones. These technologies can be used as a gateway for local attacks: remote code execution, unauthorized access, location tracking, even interception of communications in the case of Bluetooth (BlueBorne vulnerabilities, for example).
To limit these risks, always disable these functions when you are not using them. This drastically reduces the attack surface and prevents any attempt at exploitation.

Mobile networks

Smartphones are in constant communication with the base stations of telephone operators. This communication can be hijacked by IMSI catchers, which simulate base stations to intercept your mobile data. These attacks enable a third party to identify your device, track your movements and, in some cases, intercept calls and messages.
Some applications, such as SnoopSnitch on Android, can detect suspicious behavior in your exchanges with the network. These tools analyze the metadata of mobile communications and can alert you to changes in radio configuration or abnormal behavior, making you more vigilant against interception attempts.
The best way to secure your communications is to use secure messaging applications, whether for calls or messages. These applications don't use the mobile network, and ensure that exchanges are properly encrypted. We'll look at this subject in more detail in the next chapter.

Securing your mobile device

Mobile antivirus

The usefulness of antivirus software on smartphones is often overestimated, largely due to aggressive marketing campaigns. Real threats on mobiles, especially Android, are generally linked to the installation of malicious applications from unofficial sources. On a device that is regularly updated, carefully configured (particularly in terms of authorizations), and uses only official or verified sources, the risk of infection is very low.
Also, Android devices are already equipped by default with Google Play Protect, which acts as an antivirus. Third-party antivirus applications use the same interface scanner, which simply adds redundancy. In practice, then, mobile antivirus offers little added value, whether on Android or iOS.
What's more, these applications can induce a false sense of security in users, leading them to believe that they are totally protected against threats, when in fact they offer only reactive protection. They offer no protection against phishing, nor against excessive permissions granted to applications, even though most threats to smartphones come from precisely these vectors.
Their real usefulness is therefore very limited, and these applications are sometimes costly, needlessly consuming battery power and resources. It's better not to use them, and simply to adopt the best practices presented in this chapter.

Check outgoing connections

There are also smartphone firewall apps, such as NetGuard or RethinkDNS, which act as a local firewall directly on your device. They use Android's VPN API to intercept all outgoing traffic, without requiring root access.
In practical terms, this means you can individually block Internet access for certain applications, thereby considerably reducing the risk of unwanted data collection or unauthorized communications.
NetGuard, for example, lets you manage Internet access on an application-by-application basis, for both Wi-Fi and mobile data. RethinkDNS also offers advanced features such as DNS filtering, ad blocking and DNS query inspection to detect potential leaks.

Secure backup and management in the event of loss

Encrypt your backups

Regular backup of your smartphone data is very important for your security. But this backup must be encrypted, to prevent your sensitive data from being accessed by anyone who gets their hands on your backup media. This applies equally to photos, documents and application data.
To achieve this, you should use encrypted local solutions, such as an external disk or an encrypted USB key (e.g. with VeraCrypt). Failing that, self-hosted cloud solutions such as Syncthing or Nextcloud allow you to back up your data on a personal server, while retaining total control over access and confidentiality. Unlike commercial cloud services (Google Drive, iCloud...), these solutions considerably limit the exposure of your information to third parties.

Remote wiping

A lost or stolen smartphone can become a rich source of information for an attacker: personal data, browsing histories, connected accounts, etc. It may therefore make sense to configure native functions for locating, locking and remotely wiping your device.
On Android, you can use Find My Device from Google Settings. On iOS, Find My iPhone plays the same role, accessible from iCloud. These tools allow you to immediately lock access, ring the device to locate it, or as a last resort, completely wipe data remotely. There are also similar services managed by manufacturers' software overlays, such as Samsung's SmartThings Find.
However, these features come with significant trade-offs: they centralize your sensitive information (geolocation, logins, remote access, etc.) on the servers of a private company, and require you to keep your location enabled.
If you choose to implement them anyway, test these features in advance to make sure they'll work properly for the day you actually need them.
Alternatively, if you prefer not to use these remote control services, I strongly recommend that you back up your phone's data regularly to avoid losing your information if your device is lost or stolen. To limit the risk of an attacker gaining access to your information, set a strong password for your phone lock and SIM card.
We've come to the end of this chapter on best practices for your smartphone. In the next chapter, I'll show you the most suitable solutions for communicating securely and confidentially from your device, whether it is for making calls, exchanging messages or managing your newsgroups.